Keylogger
A keylogger is malicious software or hardware that records keystrokes to capture sensitive information such as passwords and messages.
What is a keylogger?
A keylogger (keystroke logger) is a surveillance tool designed to record every key pressed on a keyboard. The captured data is typically sent to an attacker or stored for later retrieval. Keyloggers can be software-based or hardware-based.
They are commonly used to steal credentials and confidential information.
Why keyloggers matter
Keyloggers are dangerous because they:
- Capture passwords and authentication data
- Bypass encryption by logging input before it is encrypted
- Operate silently in the background
- Enable identity theft and account takeover
- Are often part of larger attack chains
They target user input directly, which is the last line of defense.
Types of keyloggers
Keyloggers are usually categorized as:
- Software keyloggers -- malware running on the operating system
- Kernel-level keyloggers -- run with high privileges and are harder to detect
- Browser-based keyloggers -- injected via malicious extensions or scripts
- Hardware keyloggers -- physical devices attached between keyboard and computer
Each type has different detection challenges.
How keyloggers are delivered
Common infection vectors include:
- Phishing emails and malicious attachments
- Trojanized software installers
- Exploited vulnerabilities
- Malicious browser extensions
- Drive-by downloads
- Physical access (for hardware keyloggers)
Infection usually requires the user to run something or the attacker to gain access.
What data keyloggers collect
Keyloggers may capture:
- Usernames and passwords
- Banking and payment details
- Emails and messages
- Search queries
- Application commands
- Clipboard contents (in advanced variants)
Some also take screenshots or record sessions.
Keyloggers in attack chains
In real-world attacks, keyloggers are often used to:
- Harvest credentials for lateral movement
- Access email, VPN, or cloud services
- Enable follow-on attacks (ransomware, data theft)
- Maintain persistence in compromised environments
They typically serve as the credential-harvesting stage of an intrusion.
Detection and prevention
Effective defenses against keyloggers include:
- Endpoint Detection and Response (EDR/XDR)
- Anti-malware with behavior analysis
- Application allowlisting
- Least-privilege execution
- Browser extension controls
- Physical security to prevent hardware keyloggers
- User awareness and phishing training
Behavior-based detection is more effective than signatures alone.
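The following is an added example (not code from the original page) of what behavior-based detection combined with an allowlist looks like in practice. It triages constructed endpoint telemetry and scores each process on keylogger-like behaviors: installing a keyboard hook or polling key state (the real Windows APIs SetWindowsHookEx and GetAsyncKeyState), reading raw Linux input devices under /dev/input/event* without being on an allowlist, sending data out once an input indicator is present, and running unsigned. The telemetry schema, the process names, the allowlist contents and the scoring weights are assumptions made for illustration; 203.0.113.10 is a documentation address.

```python
"""
Behaviour-based triage of endpoint telemetry for keylogger-like activity.
Added example, not code from the original page. The telemetry schema,
the process names, the allowlist and the scoring weights are assumptions
made for illustration; real EDR data would be mapped into ProcessEvent.
"""
from dataclasses import dataclass, field
from typing import Optional

# Windows APIs that user-mode keyloggers commonly call to observe keystrokes.
KEYBOARD_HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState"}

# Linux raw input devices; a process reading these sees every keystroke.
RAW_INPUT_PREFIX = "/dev/input/event"

# Hypothetical allowlist: processes that legitimately read raw input
# (display server, input-method daemon). This is application allowlisting.
RAW_INPUT_ALLOWLIST = {"Xorg", "ibus-daemon"}

ALERT_THRESHOLD = 4   # score at which the event becomes an alert
REVIEW_THRESHOLD = 2  # score at which an analyst should take a look


@dataclass
class ProcessEvent:
    pid: int
    image: str                          # executable name
    api_calls: set = field(default_factory=set)
    open_files: set = field(default_factory=set)
    network_dst: Optional[str] = None   # "host:port" of an outbound connection
    signed: bool = True                 # binary carries a valid code signature


def score_event(ev: ProcessEvent) -> dict:
    """Score one process event; returns pid, image, score, reasons and verdict."""
    score, reasons = 0, []

    if ev.api_calls & KEYBOARD_HOOK_APIS:
        score += 3
        reasons.append("installs keyboard hook / polls key state")

    reads_raw_input = any(f.startswith(RAW_INPUT_PREFIX) for f in ev.open_files)
    if reads_raw_input and ev.image not in RAW_INPUT_ALLOWLIST:
        score += 3
        reasons.append("reads raw input device outside allowlist")

    # Egress only matters once there is something input-related to send.
    if ev.network_dst and reasons:
        score += 2
        reasons.append(f"outbound connection to {ev.network_dst}")

    if not ev.signed:
        score += 1
        reasons.append("unsigned binary")

    verdict = ("alert" if score >= ALERT_THRESHOLD
               else "review" if score >= REVIEW_THRESHOLD
               else "clean")
    return {"pid": ev.pid, "image": ev.image, "score": score,
            "reasons": reasons, "verdict": verdict}


def triage(events) -> list:
    """Score every event and return the non-clean findings, highest score first."""
    findings = [score_event(ev) for ev in events]
    return sorted((f for f in findings if f["verdict"] != "clean"),
                  key=lambda f: f["score"], reverse=True)


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Display server legitimately reading raw input: allowlisted and signed.
    ProcessEvent(pid=812, image="Xorg", open_files={"/dev/input/event0"}),
    # Unsigned process hooking the keyboard, writing a log and phoning home.
    ProcessEvent(pid=5120, image="svchost_update.exe",
                 api_calls={"SetWindowsHookExW"},
                 open_files={"C:\\Users\\Public\\kl.txt"},
                 network_dst="203.0.113.10:443", signed=False),
    # Signed but non-allowlisted tool reading raw input: worth a look.
    ProcessEvent(pid=777, image="myremap", open_files={"/dev/input/event3"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['verdict']:6} pid={f['pid']} {f['image']} score={f['score']}: "
              + "; ".join(f["reasons"]))
```

The point of the weighting is the page's own: a single indicator (a signed remapping tool reading raw input) only earns a review, while the combination of hook installation, exfiltration and an unsigned binary crosses the alert threshold, which is what signature-only scanning misses when the binary itself is unknown.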
Keylogger vs spyware
| Aspect | Keylogger | Spyware |
|---|---|---|
| Focus | Keystrokes | Broad user activity |
| Data scope | Input-centric | Multi-source |
| Visibility | Very stealthy | Varies |
| Usage | Credential theft | Surveillance |
Keyloggers are often considered a subset of spyware.
Legal and ethical considerations
Keylogging:
- Is illegal without explicit authorization
- May be permitted for security testing or monitoring with consent
- Must comply with privacy and labor laws
- Requires transparency and strict controls
Unauthorized keylogging is a serious violation.
Common misconceptions
- "Keyloggers only target Windows"
- "Virtual keyboards stop keyloggers"
- "Antivirus always detects keyloggers"
- "Keyloggers are obsolete"